nmap is a tool that lets you discover hosts on your network and what ports those hosts have open.

nmap is not 100% accurate. It uses a variety of methods at different levels of the networking stack to detect hosts and their open ports.

One really cool feature of nmap is that it can use the subtle differences in networking implementations between Windows, OS X, and Linux to determine which operating system a host is running.

Installation

To install nmap, if you’re on OS X and use brew, just run:

brew install nmap

Otherwise, see the install guide.

Scanning your local network

Let’s scan your home network. If you’re on a public wifi network, it’d be best to wait until you get back home. You can get in trouble using nmap to scan computers you don’t have permission to scan.

First, determine what address range your local network uses. You can use this command to figure it out:

ifconfig | grep -w '10.0\|192.168'

Here’s the command we’ll use. I’ll explain each part.

sudo nmap -O -v 10.0.0.1/24

-O tells nmap we want it to try to figure out the operating system of each host it finds. Using this flag means we need to use sudo to run nmap.

-v turns on verbose mode. You can make it -vv for extra verbosity.

The /24 at the end denotes the subnet we want to scan. In this case, 10.0.0.1/24 means every address between 10.0.0.1 and 10.0.0.255.

nmap does a lot for you automatically. We didn’t specify the type of scanning we want it to do, so it uses a combination of techniques to discover hosts and scan ports. You can read more about the scanning options available to you by looking at man nmap.

Go ahead and run the command to see the hosts on your network 😎

sudo nmap -O -v 10.0.0.1/24
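As an added example (not part of the original post), here is a small Python helper that shows what the /24 in the command above expands to and then turns nmap’s greppable output (the real -oG output format) into a per-host inventory of open ports and OS guesses, so you can compare what nmap found against what you expect to be on your network. The scan output below is a constructed sample, not a real scan.

```python
import ipaddress

# Constructed sample of nmap -oG (greppable) output; not a real scan result.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.1 (router.lan)\tStatus: Up
Host: 10.0.0.1 (router.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tOS: Linux 5.X
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\tOS: Microsoft Windows 10
# Nmap done (constructed sample) -- 256 IP addresses (2 hosts up)
"""

def cidr_range(cidr):
    """Return (first, last, count) for a target like '10.0.0.1/24'.
    strict=False accepts a host address inside the prefix, as nmap does."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses

def parse_greppable(text):
    """Map each scanned IP to its open ports and nmap's OS guess.
    -oG lines are tab-separated 'Key: value' fields; ports are '/'-separated."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment/summary lines start with '#'
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip = fields["Host"].split(" ", 1)[0]  # drop the '(hostname)' part
        entry = hosts.setdefault(ip, {"open": [], "os": None})
        if "Ports" in fields:
            for port in fields["Ports"].split(", "):
                number, state, proto, _owner, service = port.split("/")[:5]
                if state == "open":
                    entry["open"].append((int(number), proto, service))
        if "OS" in fields:
            entry["os"] = fields["OS"]
    return hosts

def unexpected_open_ports(hosts, allowed):
    """Flag open ports not on a per-host allow-list: anything listed here is
    a service you did not know was reachable on your network."""
    findings = []
    for ip, info in hosts.items():
        for number, proto, service in info["open"]:
            if number not in allowed.get(ip, set()):
                findings.append((ip, number, service))
    return findings
```

Save a real scan with `-oG scan.txt` and feed the file contents to parse_greppable to inventory your own network.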

More?

Check out the nmap documentation to continue your nmap adventures.